前言

对于误删除文件的设备,要马上停止任何写的操作,防止删除的文件被覆盖,导致数据丢失!

image.png

恢复NTFS文件系统下误删的文件

Windows为例,市面上能恢复的工具不少,例如EasyRecovery、易我数据恢复等等,本文就不再赘述,可以自行百度谷歌!

恢复ext4文件系统下误删的文件

[root@linux-node1 ~]# fdisk /dev/sdb 

Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel

Building a new DOS disklabel with disk identifier 0x7ce28911.

Changes will remain in memory only, until you decide to write them.

After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

WARNING: DOS-compatible mode is deprecated. It's strongly recommended to

         switch off the mode (command 'c') and change display units to

         sectors (command 'u').

Command (m for help): n

Command action

   e   extended

   p   primary partition (1-4)

p

Partition number (1-4): 1

First cylinder (1-2610, default 1):

Using default value 1

Last cylinder, +cylinders or +size{K,M,G} (1-2610, default 2610): +1G

Command (m for help): w

The partition table has been altered!

Calling ioctl() to re-read partition table.

Syncing disks.

[root@linux-node1 ~]# mkfs.ext4 /dev/sdb1

mke2fs 1.41.12 (17-May-2010)

Filesystem label=

OS type: Linux

Block size=4096 (log=2)

Fragment size=4096 (log=2)

Stride=0 blocks, Stripe width=0 blocks

66384 inodes, 265064 blocks

13253 blocks (5.00%) reserved for the super user

First data block=0

Maximum filesystem blocks=272629760

9 block groups

32768 blocks per group, 32768 fragments per group

7376 inodes per group

Superblock backups stored on blocks:

32768, 98304, 163840, 229376

Writing inode tables: done                            

Creating journal (8192 blocks): done

Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 36 mounts or

180 days, whichever comes first.  Use tune2fs -c or -i to override.

[root@linux-node1 ~]# mkdir /sdb1  

[root@linux-node1 ~]# mount /dev/sdb1 /sdb1/

[root@linux-node1 ~]# df -h

Filesystem      Size  Used Avail Use% Mounted on

/dev/sda3        19G  2.4G   16G  14% /

tmpfs           931M     0  931M   0% /dev/shm

/dev/sda1       190M   38M  142M  22% /boot

/dev/sdb1       988M  1.3M  935M   1% /sdb1

[root@linux-node1 ~]# cd /sdb1/

[root@linux-node1 sdb1]# ll

total 16

drwx------ 2 root root 16384 Oct  4 16:19 lost+found

[root@linux-node1 sdb1]# cp /etc/passwd .

[root@linux-node1 sdb1]# mkdir test

[root@linux-node1 sdb1]# mkdir test/a/b/c -p

[root@linux-node1 sdb1]# echo "1234">>1.txt

[root@linux-node1 sdb1]# ll

total 28

-rw-r--r-- 1 root root     5 Oct  4 16:24 1.txt

drwx------ 2 root root 16384 Oct  4 16:19 lost+found

-rw-r--r-- 1 root root  1929 Oct  4 16:23 passwd

drwxr-xr-x 3 root root  4096 Oct  4 16:23 test

[root@linux-node1 sdb1]# cp 1.txt ./test/a/

[root@linux-node1 sdb1]# cp 1.txt ./test/a/b/

[root@linux-node1 sdb1]# tree

.

├── 1.txt

├── lost+found

├── passwd

└── test

    └── a

        ├── 1.txt

        └── b

            ├── 1.txt

            └── c

5 directories, 4 files

[root@linux-node1 sdb1]# cd

[root@linux-node1 ~]# rz extundelete-0.2.4.tar.bz2

[root@linux-node1 ~]# tar jxvf extundelete-0.2.4.tar.bz2

[root@linux-node1 ~]# cd extundelete-0.2.4

[root@linux-node1 extundelete-0.2.4]# yum install -y e2fsprogs-devel

[root@linux-node1 extundelete-0.2.4]# ./configure

[root@linux-node1 extundelete-0.2.4]# make -j 4

[root@linux-node1 extundelete-0.2.4]# make install

Making install in src

  /usr/bin/install -c extundelete '/usr/local/bin'

[root@linux-node1 extundelete-0.2.4]# ll /usr/local/bin/

total 1160

-rwxr-xr-x 1 root root 1187263 Oct  7 21:34 extundelete

[root@linux-node1 ~]# yum install -y extundelete  ##实在不行就用yum安装

[root@linux-node1 ~]# rm -rf /sdb1/*

[root@linux-node1 ~]# umount /sdb1/

[root@linux-node1 ~]# mkdir /root/back

[root@linux-node1 ~]# cd back/

方法1:通过inode恢复被删除的文件(ext4文件系统的分区根目录的inode值为2)

[root@linux-node1 back]# extundelete /dev/sdb1 --inode 2

NOTICE: Extended attributes are not restored.

Loading filesystem metadata ... 9 groups loaded.

Group: 0

Contents of inode 2:

0000 | ed 41 00 00 00 10 00 00 07 0d ba 5b 0f 0d ba 5b | .A.........[...[

0010 | 0f 0d ba 5b 00 00 00 00 00 00 02 00 08 00 00 00 | ...[............

0020 | 00 00 00 00 07 00 00 00 4b 00 00 00 00 00 00 00 | ........K.......

0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0080 | 1c 00 00 00 88 d8 89 9c 88 d8 89 9c 8c 33 43 58 | .............3CX

0090 | 19 cd b5 5b 00 00 00 00 00 00 00 00 00 00 00 00 | ...[............

00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

 

Inode is Allocated

File mode: 16877

Low 16 bits of Owner Uid: 0

Size in bytes: 4096

Access time: 1538919687

Creation time: 1538919695

Modification time: 1538919695

Deletion Time: 0

Low 16 bits of Group Id: 0

Links count: 2

Blocks count: 8

File flags: 0

File version (for NFS): 0

File ACL: 0

Directory ACL: 0

Fragment address: 0

Direct blocks: 75, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

Indirect block: 0

Double indirect block: 0

Triple indirect block: 0

File name                | Inode number | Deleted status

.                        2

..                       2

lost+found                 11             Deleted

passwd                   12             Deleted

test                    7377           Deleted

1.txt                   16             Deleted

[root@linux-node1 back]# extundelete /dev/sdb1 --restore-inode 12

[root@linux-node1 back]# tree

.

└── RECOVERED_FILES

    └── file.12

1 directory, 1 file

[root@linux-node1 back]# diff /etc/passwd RECOVERED_FILES/file.12

[root@linux-node1 back]#

方法2:通过文件名恢复数据

[root@linux-node1 back]# extundelete /dev/sdb1 --restore-file passwd

NOTICE: Extended attributes are not restored.

Loading filesystem metadata ... 9 groups loaded.

Loading journal descriptors ... 76 descriptors loaded.

Successfully restored file passwd

[root@linux-node1 back]# tree

.

└── RECOVERED_FILES

    ├── file.12

    └── passwd

1 directory, 2 files

[root@linux-node1 back]# diff

diff      diff3     diffstat  

[root@linux-node1 back]# diff RECOVERED_FILES/

file.12  passwd   

[root@linux-node1 back]# diff RECOVERED_FILES/passwd /etc/passwd

[root@linux-node1 back]#

方法3:通过目录恢复数据

[root@linux-node1 back]# extundelete /dev/sdb1 --restore-directory test

NOTICE: Extended attributes are not restored.

Loading filesystem metadata ... 9 groups loaded.

Loading journal descriptors ... 76 descriptors loaded.

Searching for recoverable inodes in directory test ...

9 recoverable inodes found.

Looking through the directory structure for deleted files ...

4 recoverable inodes still lost.

[root@linux-node1 back]# tree

.

└── RECOVERED_FILES

    ├── file.12

    ├── passwd

    └── test

        └── a

            ├── 1.txt

            └── b

                └── 1.txt

4 directories, 4 files

[root@linux-node1 back]# cat  RECOVERED_FILES/test/a/1.txt

1234

[root@linux-node1 back]# cat  RECOVERED_FILES/test/a/b/1.txt

1234

方法4:恢复所有数据

[root@linux-node1 back]# rm -rf RECOVERED_FILES/

[root@linux-node1 back]# ll

total 0

[root@linux-node1 back]# extundelete /dev/sdb1 --restore-all

NOTICE: Extended attributes are not restored.

Loading filesystem metadata ... 9 groups loaded.

Loading journal descriptors ... 76 descriptors loaded.

Searching for recoverable inodes in directory / ...

9 recoverable inodes found.

Looking through the directory structure for deleted files ...

0 recoverable inodes still lost.

[root@linux-node1 back]# tree

.

└── RECOVERED_FILES

    ├── 1.txt

    ├── passwd

    └── test

        └── a

            ├── 1.txt

            └── b

                └── 1.txt

4 directories, 4 files

[root@linux-node1 back]# diff RECOVERED_FILES/passwd /etc/passwd

[root@linux-node1 back]# cat RECOVERED_FILES/test/a/1.txt

1234

[root@linux-node1 back]# cat RECOVERED_FILES/test/a/b/1.txt

1234

extundelete在恢复文件的时候不能自动创建空文件和目录

xfs文件系统中用xfsdump备份和恢复文件

一、挂载一块新的磁盘

[root@zabbix-server ~]# fdisk /dev/sdb

Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.

Be careful before using the write command.

Device does not contain a recognized partition table

Building a new DOS disklabel with disk identifier 0xac54c138.

Command (m for help): p

Disk /dev/sdb: 21.5 GB, 21474836480 bytes, 41943040 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk label type: dos

Disk identifier: 0xac54c138

   Device Boot      Start         End      Blocks   Id  System

Command (m for help): n

Partition type:

   p   primary (0 primary, 0 extended, 4 free)

   e   extended

Select (default p): p

Partition number (1-4, default 1):

First sector (2048-41943039, default 2048):

Using default value 2048

Last sector, +sectors or +size{K,M,G} (2048-41943039, default 41943039): +1G

Partition 1 of type Linux and of size 1 GiB is set

Command (m for help): w

The partition table has been altered!

Calling ioctl() to re-read partition table.

Syncing disks.

[root@zabbix-server ~]# mkfs.xfs /dev/sdb1

meta-data=/dev/sdb1              isize=512    agcount=4, agsize=65536 blks

         =                       sectsz=512   attr=2, projid32bit=1

         =                       crc=1        finobt=0, sparse=0

data     =                       bsize=4096   blocks=262144, imaxpct=25

         =                       sunit=0      swidth=0 blks

naming   =version 2              bsize=4096   ascii-ci=0 ftype=1

log      =internal log           bsize=4096   blocks=2560, version=2

         =                       sectsz=512   sunit=0 blks, lazy-count=1

realtime =none                   extsz=4096   blocks=0, rtextents=0

[root@zabbix-server ~]# mkdir /sdb1

[root@zabbix-server ~]# mount /dev/sdb1 /sdb1/

[root@zabbix-server ~]# cd /sdb1/

[root@zabbix-server sdb1]# cp /etc/passwd .

[root@zabbix-server sdb1]# mkdir test

[root@zabbix-server sdb1]# touch test/a.txt

[root@zabbix-server sdb1]# tree

.

├── passwd

└── test

    └── a.txt

1 directory, 2 files

二、进行备份

2.1、备份整个分区(这个功能类似快照,能快速恢复)

注意:备份的路径不能写成/sdb1/ 应是/dev/sdb1 /sdb1

[root@zabbix-server ~]# xfsdump -f /opt/dump-sdb1 /dev/sdb1

xfsdump: using file dump (drive_simple) strategy

xfsdump: version 3.1.7 (dump format 3.0) - type ^C for status and control

 ============================= dump label dialog ==============================

please enter label for this dump session (timeout in 300 sec)

 -> dump-sdb1

session label entered: "dump-sdb1"

--------------------------------- end dialog ---------------------------------

xfsdump: level 0 dump of zabbix-server:/sdb1

xfsdump: dump date: Sun Oct  7 14:00:24 2018

xfsdump: session id: c0ae2a93-b6f4-4d9f-9ccb-a2a2a1355ce2

xfsdump: session label: "dump-sdb1"

xfsdump: ino map phase 1: constructing initial dump list

xfsdump: ino map phase 2: skipping (no pruning necessary)

xfsdump: ino map phase 3: skipping (only one dump stream)

xfsdump: ino map construction complete

xfsdump: estimated dump size: 25856 bytes

xfsdump: /var/lib/xfsdump/inventory created

 ============================= media label dialog =============================

please enter label for media in drive 0 (timeout in 300 sec)

 -> sdb1-v1

media label entered: "sdb1-v1"

 --------------------------------- end dialog ---------------------------------

xfsdump: creating dump session media file 0 (media 0, file 0)

xfsdump: dumping ino map

xfsdump: dumping directories

xfsdump: dumping non-directory files

xfsdump: ending media file

xfsdump: media file size 23520 bytes

xfsdump: dump size (non-dir files) : 1568 bytes

xfsdump: dump complete: 137 seconds elapsed

xfsdump: Dump Summary:

xfsdump:   stream 0 /opt/dump-sdb1 OK (success)

xfsdump: Dump Status: SUCCESS

2.1.1、指定备份时免交互操作,方便后期做定时备份

[root@zabbix-server ~]# xfsdump -f /opt/dump-sdb1 /sdb1 -L dump-sdb1 -M sdb1-v2

xfsdump: using file dump (drive_simple) strategy

xfsdump: version 3.1.7 (dump format 3.0) - type ^C for status and control

.......

xfsdump: Dump Status: SUCCESS

2.1.2、备份某分区的目录或文件

参数:-s 文件路径,针对指定的文件进行备份,-s 指定时,路径写的是相对路径

[root@zabbix-server ~]# xfsdump -f /opt/dump-boot.grub2 -s grub2/fonts /boot -L dump-boot -M boot.grub2

xfsdump: using file dump (drive_simple) strategy

xfsdump: version 3.1.7 (dump format 3.0) - type ^C for status and control

.......

xfsdump: Dump Status: SUCCESS

2.1.3、查看备份的信息

[root@zabbix-server ~]# ll /var/lib/xfsdump/inventory/

total 28

-rw-r--r-- 1 root root  312 Oct  7 14:30 036e12ba-88fc-4e0c-9eb1-2fe312d02176.InvIndex

-rw-r--r-- 1 root root  312 Oct  7 14:12 117f7835-83c8-471b-b69f-55743fa9f8e7.InvIndex

-rw-r--r-- 1 root root 5080 Oct  7 14:30 bd6e4e4d-6f0d-47e5-be33-bb0faa452331.StObj

-rw-r--r-- 1 root root 6416 Oct  7 14:12 d40f0506-c377-40c3-a3ad-df2c2ecd65af.StObj

-rw-r--r-- 1 root root 1120 Oct  7 14:30 fstab

[root@zabbix-server ~]# xfsdump -I

file system 0:

fs id:  117f7835-83c8-471b-b69f-55743fa9f8e7

session 0:

media id: 60cf7316-3c71-4899-bf7e-1215d7ddb9f1

.......

session 1:

mount point: zabbix-server:/sdb1

.......

session 2:

mount point: zabbix-server:/sdb1

.......

session 3:

mount point: zabbix-server:/sdb1

.......

xfsdump: Dump Status: SUCCESS

三、xfs文件系统的恢复和增量备份

3.1、文件的恢复

[root@zabbix-server ~]# rm -rf /sdb1/*

[root@zabbix-server ~]# tree /sdb1/

/sdb1/

0 directories, 0 files

[root@zabbix-server ~]# xfsrestore -f /opt/dump-sdb1 /sdb1/

xfsrestore: using file dump (drive_simple) strategy

xfsrestore: version 3.1.7 (dump format 3.0) - type ^C for status and control

.......

xfsrestore: Restore Status: SUCCESS

[root@zabbix-server ~]# tree /sdb1/

/sdb1/

├── passwd

└── test

    └── a.txt

1 directory, 2 files

3.2、文件的增量备份和恢复

3.2.1:增量备份

[root@zabbix-server ~]# tree /sdb1/

/sdb1/

├── passwd

└── test

    └── a.txt

1 directory, 2 files

[root@zabbix-server ~]# xfsdump -f /opt/dump-full /sdb1 -L sdb1-full -M sdb1 

xfsdump: using file dump (drive_simple) strategy

xfsdump: version 3.1.7 (dump format 3.0) - type ^C for status and control

.......

xfsdump: Dump Status: SUCCESS

[root@zabbix-server ~]# touch /sdb1/a.txt /sdb1/b.txt 

[root@zabbix-server ~]# tree /sdb1/

/sdb1/

├── a.txt

├── b.txt

├── passwd

└── test

    └── a.txt

1 directory, 4 files

[root@zabbix-server ~]# xfsdump -l 1 -f /opt/dump-bak1 /sdb1 -L sdb1-full -M sdb1 

xfsdump: using file dump (drive_simple) strategy

xfsdump: version 3.1.7 (dump format 3.0) - type ^C for status and control

.......

xfsdump: Dump Status: SUCCESS

[root@zabbix-server ~]# touch /sdb1/test/1.txt /sdb1/test/2.txt 

[root@zabbix-server ~]# tree /sdb1/

/sdb1/

├── a.txt

├── b.txt

├── passwd

└── test

    ├── 1.txt

    ├── 2.txt

    └── a.txt

1 directory, 6 files

[root@zabbix-server ~]# xfsdump -l 2 -f /opt/dump-bak2 /sdb1 -L sdb1-full -M sdb1 

xfsdump: using file dump (drive_simple) strategy

xfsdump: version 3.1.7 (dump format 3.0) - type ^C for status and control

.......

xfsdump: Dump Status: SUCCESS

3.2.2:备份恢复

[root@zabbix-server ~]# rm -rf /sdb1/*

[root@zabbix-server ~]# tree /sdb1/

/sdb1/

0 directories, 0 files

[root@zabbix-server ~]# xfsrestore -f /opt/dump-full /sdb1/

xfsrestore: using file dump (drive_simple) strategy

xfsrestore: version 3.1.7 (dump format 3.0) - type ^C for status and control

.......

xfsrestore: Restore Status: SUCCESS

[root@zabbix-server ~]# tree /sdb1/

/sdb1/

├── passwd

└── test

    └── a.txt

1 directory, 2 files

[root@zabbix-server ~]# xfsrestore -f /opt/dump-bak1 /sdb1/

xfsrestore: using file dump (drive_simple) strategy

xfsrestore: version 3.1.7 (dump format 3.0) - type ^C for status and control

.......

xfsrestore: Restore Status: SUCCESS

[root@zabbix-server ~]# tree /sdb1/

/sdb1/

├── a.txt

├── b.txt

├── passwd

└── test

    └── a.txt

1 directory, 4 files

[root@zabbix-server ~]# xfsrestore -f /opt/dump-bak2 /sdb1/

xfsrestore: using file dump (drive_simple) strategy

xfsrestore: version 3.1.7 (dump format 3.0) - type ^C for status and control

.......

xfsrestore: Restore Status: SUCCESS

[root@zabbix-server ~]# tree /sdb1/

/sdb1/

├── a.txt

├── b.txt

├── passwd

└── test

    ├── 1.txt

    ├── 2.txt

    └── a.txt

1 directory, 6 files